Massive ATM Data Breach Hits India: 3.2 Million Cards Affected

I really hope you did not brush aside a message alert from your bank urging you to change your ATM PIN as soon as possible. If you haven’t done so already, you might want to check on your account real soon. An ATM data breach just ripped a massive hole in the banking ecosystem.
Last week, on Wednesday, it was reported that a massive debit card hack had hit major Indian banks such as HDFC, ICICI, Yes Bank, Axis Bank, and SBI, compromising as many as 3.2 million debit cards. According to a report by the Economic Times, this data breach may well be among the biggest financial data hacks in the country.
And the Chinese may have some explaining to do this time around: unauthorized transactions were reported from their country.

According to HuffPost India, of the total cards affected in Wednesday’s ATM data breach, 2.6 million are said to be on the Visa and MasterCard platforms and the remaining 600,000 on the RuPay platform. The breach is said to have originated from malware introduced into the systems of Hitachi Payment Services, which enabled hackers to steal card information and eventually funds; the nature of the malware has not yet been revealed.
Based on initial analysis, it is being speculated that the malware had access to the HSM (hardware security module) cards that receive card information and the PIN code. It apparently took about six weeks to detect the breach, by which time several fraudulent transactions had already taken place.
Hitachi provides ATM, point of sale (PoS), and other services that manage ATM network processing for Yes Bank. Hitachi has not yet been reached for comment, though.
The reason why card holders of different banks have been impacted is that Yes Bank, despite having a small number of ATMs, sees a large number of third-party transactions on its machines. An inquiry has already been initiated by the National Payments Council of India (NPCI) to look into the servers and systems of the banks affected.
NPCI Managing Director A.P. Hota said, “Though most of the suspected fraudulent transactions happened in the Visa and MasterCard network, we thought it would be best to do a forensic audit of the entire network. This will help us find out where the compromises have happened.”
HDFC, though, had an inkling of the attack earlier. Its spokesperson said, “Besides advising those customers who we know have used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN, we are advising our customers to use only HDFC Bank ATMs as we believe security controls at some of the other bank ATMs may not be at par with HDFC Bank ATMs.”
He further added, “We take this opportunity to reiterate that it’s always prudent to change ATM PINs from time to time. It prevents misuse.”
SBI may be dealing with the worst of it, though. According to the Times of India, SBI is set to reissue 600,000 debit cards in the aftermath of this security breach. It has also asked customers to change their PINs.
Scary stuff, eh?
What you just read about was a malicious cyber attack on our banking system, more popularly known as a “jackpotting attack,” a concept first introduced by the late Barnaby Jack, director of research at IOActive, at the Black Hat USA conference (2010) in Las Vegas.
According to Jack, the most common cybercriminal attacks in the past happened on cash machines and were generally physical robberies in nature. Adding skimmers to steal users’ ATM card data, or even stealing the machine itself, are some of the most popular hacks. This kind of reminds me of a hilarious incident that happened about a month ago: some chaps stole a passbook printing machine instead of the ATM!
Definitely not the brightest folks in my opinion. But mind you, fraudsters can get very innovative whenever they have to.
In his 2010 presentation, Jack demonstrated a remote administration tool, dubbed Dillinger, and a rootkit, known as Scrooge. Dillinger allows a person to easily select known ATMs and retrieve data or send payloads, while Scrooge, which can be sent to an ATM as a payload, overwrites the system’s programming to allow a person to control the machine.
Most standalone ATMs run on Windows, but Jack stressed that the vulnerabilities he found were in the proprietary cash management software and not in the operating system. A compromised cash machine can be controlled by a person who inserts a card with special codes stored on the magnetic stripe or who types a code on the ATM.
Years later, money mules are still on a roll with jackpotting attacks of this kind, encouraged mostly by ATM operators’ slow adoption of the EMV technology (a standard created by Europay, MasterCard, and Visa for smart payment cards and for ATMs), lax physical security, reluctance to upgrade outdated hardware, existence of middleware that creates attack opportunities, and a generally relaxed attitude.
All of that is a deadly cocktail for a potential ATM data breach.
In April this year, Trend Micro reported that the banking industry is increasingly falling prey to ATM malware (as also seen in the case discussed here) because of the growing popularity of hacking as a toolset for committing crimes among new-age criminals.

How did ATM malware become ATM data breach fraudsters’ cocaine?

Trend Micro and Europol’s European Cybercrime Center (EC3) together looked at some of the deadliest malware doing the rounds of ATMs at the moment. Refer to the map below for the origin of such malicious code and their families.

[Map: origin of ATM malware code and families. Image courtesy: Trend Micro]

ATM malware (or skimmers) can be characterized by the ATM manufacturer it targets and by its specific capabilities, i.e., whether it is used for skimming a machine for user input, such as card numbers and PIN codes, or for actually dispensing the cash itself. And surprisingly enough, installing malware seems like child’s play. All one needs is a USB stick or a CD drive!
A couple of years ago, Symantec researchers described an ATM malware called Ploutus that would cause ATMs to dispense cash after being sent commands via SMS. The malware, though, had to be manually installed by opening up the ATM and attaching a phone to the hardware via USB.
Joint research carried out by Trend Micro and Europol’s European Cybercrime Center (EC3) blamed it outright on outdated operating systems such as Windows XP® that no longer receive security patches. ATM vendors’ decision to employ middleware that provides Application Programming Interfaces (APIs) to communicate with a payment terminal’s or ATM’s peripheral devices (such as the PIN pad, cash dispenser, etc.), regardless of the model, has also hurt them badly.
This middleware is known as the eXtensions for Financial Services (XFS). Such malware abuses XFS to harvest the magnetic stripe data of previous ATM users or simply to dispense cash.
Another cause of worry is that the deadline for ATMs to become EMV compliant is still a whole year away. Meanwhile, the ATM data breach events have reached record levels (card skimming being the most popular) and are showing absolutely no signs of slowing down.

A recent collection of data from RBR (Retail Banking Research) says that the global installed ATM base is expected to reach four million by 2020, and with that ATM fraud is bound to shoot up.
Countries should get used to the idea of getting slammed with millions of dollars in losses until ATMs everywhere become EMV-compliant.
Keep visiting www.acadgild.com for more updates on the courses.